
Spring Boot Actuator is a sub-project of Spring Boot. It provides several production-grade services to your application out of the box. Once Actuator is configured in your Spring Boot application, you can interact with and monitor your application by invoking the HTTP endpoints that Actuator exposes, which report application health, bean details, version details, configurations, logger details, etc.

Spring Boot includes a number of built-in endpoints, and you can also add your own or expose existing endpoints under custom ids of your choice. Not every endpoint should be exposed publicly, since many of them, such as beans and env, reveal sensitive information. Hence, Spring Boot marks many endpoints as sensitive by default, so that they require a username/password when they are accessed over HTTP (or are simply disabled if web security is not enabled). Health and info are not sensitive by default.

How to Enable Spring Boot Actuator

This is easy. You only need to include the following Maven dependency in your existing pom.xml file:

If you are using Spring MVC on top of this, then four additional endpoints (docs, heapdump, jolokia, and logfile) can be used.

Customizing Actuator Endpoints

Spring Boot allows customizing endpoints by using Spring properties. Simply mention the properties you want to customize in your application.properties. You can customize an endpoint in three ways. You can enable or disable an endpoint, customize its sensitivity, and also its id.

The following is an example that changes the sensitivity and id of the metrics endpoint and also enables shutdown.

Securing Actuator Endpoints

As we saw, only two endpoints, health and info, are not sensitive by default. Other endpoints, like loggers and beans, are sensitive and hence require authorization to access. To access these sensitive endpoints, you can either disable the sensitivity or secure them using Spring Security.

To secure the actuator endpoints, include the following Maven dependency in your pom.xml file.

In Spring Boot, including the above dependencies will by default provide inbuilt form-based authentication with the username user and a randomly generated password. The following entries are then required to enable basic security for your sensitive endpoints.

To access the actuator-restricted endpoints, you must have the ACTUATOR role. This is the default configuration.

Apart from this, you can also secure actuator REST endpoints using AuthenticationManagerBuilder by extending the WebSecurityConfigurerAdapter class provided by Spring. Here is the complete implementation using AuthenticationManagerBuilder.
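One way to write such a configuration, added here as an example and not the article's original listing. It assumes Spring Boot 1.x with Spring Security 4, actuator endpoints moved under `management.context-path=/manage`, and a hypothetical property `actuator.admin.password-hash` that holds a BCrypt hash; the class name and user name are illustrative as well.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: hypothetical property holding a BCrypt hash, supplied from
    // the environment or an external config file rather than source control.
    @Value("${actuator.admin.password-hash}")
    private String adminPasswordHash;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            // Compare logins against the stored hash, never a plaintext password.
            .passwordEncoder(new BCryptPasswordEncoder())
            .withUser("actuator-admin")   // illustrative user name
            .password(adminPasswordHash)
            .roles("ACTUATOR");           // the role the article names for restricted endpoints
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Scope this filter chain to the management paths only
            // (assumes management.context-path=/manage).
            .antMatcher("/manage/**")
            .authorizeRequests()
                // health and info are the two endpoints that are not sensitive by default.
                .antMatchers("/manage/health", "/manage/info").permitAll()
                // Everything else under /manage (beans, env, loggers, ...) needs the role.
                .anyRequest().hasRole("ACTUATOR")
                .and()
            .httpBasic();
    }
}
```

Because the chain ends in a catch-all `anyRequest().hasRole("ACTUATOR")`, an endpoint that is enabled later (shutdown, for example) is protected without touching this class.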

Creating a Custom Actuator Endpoint

The best thing about Spring is that it always encourages developers to come up with their own configurations and implementations — and this is the case with actuator endpoints, too.
